An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
CVE-2023-5115 - Medium Severity Vulnerability
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/be/27/a4ee8ec50cdfa87385e1181da8bb4b3205d8e669d13393b747baaa01f45a/ansible-core-2.11.1.tar.gz
Path to dependency file: /packages/react-server-website/deployment/requirements.txt
Path to vulnerable library: /packages/react-server-website/deployment/requirements.txt
Dependency Hierarchy: - ansible-4.0.0.tar.gz (Root Library) - :x: **ansible-core-2.11.1.tar.gz** (Vulnerable Library)
Found in HEAD commit: fc4f63cd9d7cfd34b5d6322a49f9b670bd83cb27
Found in base branch: master
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
Publish Date: 2023-12-18
URL: CVE-2023-5115
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2023-12-18
Fix Resolution (ansible-core): 2.13.13
Direct dependency fix Resolution (ansible): 6.0.0